Verizon Data Breach Study Finds Little Progress in Containing Malware

Some of Verizon’s findings should be staggering enough to convince IT professionals to take steps to fully protect their networks and applications.

Phishing scams are becoming more effective. Verizon found that 23 percent of phishing email recipients are now opening the messages, and a whopping 11 percent of those unsuspecting victims are opening associated attachments. It takes just 82 seconds from the time a phishing campaign is launched to the moment it hooks its first victim.

Malware is another problem companies need to worry about. Verizon found that 20,000 organizations it studied intercepted 170 million malware events. To increase the chances of a successful malware infection, hackers continually made slight modifications to the malware code each time they used it to try to hide it from anti-malware scanners. In other words, if the cyber-criminals were persistent enough, they were able to get past the antivirus defenses to compromise computer systems with relative ease.

Verizon found that malicious hackers could target more than 7 million vulnerabilities, though most hackers focus solely on 10 vulnerabilities. Better yet, for the vast majority of the 7 million vulnerabilities, patches have been available for months. There’s just one problem: most systems are not patched and Verizon even detected un-patched vulnerabilities dating back to 1999.

A breach can occur on a network in a flash, Verizon found. In fact, the company said that 38 percent of systems were compromised in mere “seconds.” Once infected, the compromised system communicates with other machines on the network and before long, malware spreads and wreaks havoc.

While it can often take a long time for companies to find a threat, once they do, it’s no guarantee they’ll fix it quickly. In fact, 38 percent of respondents told Verizon that it takes days to contain a threat that works its way onto a company’s network.

Losing customer records can be extremely costly, Verizon discovered. The company analyzed cyber-liability insurance claims and found that the average cost of a breach of 1,000 records can be between $52,000 and $87,000, or between $52 and $87 per record. If 10 million records are stolen, the total claim will range between $2.1 million and $52 million. But at this scale, at least the cost per breach drops down to 22 cents to 52 cents per record.

Human error continues to be one of the best ways for malicious hackers to gain access to a company’s records. In fact, the top four patterns malicious hackers use to attack companies focus on human error and system misuse, including directly targeting employees.

According to Verizon, the most likely place for hackers to target is a point-of-sale device that processes and stores valuable credit card information. In addition, malicious hackers are capturing information through “cyber-espionage” and by utilizing Internet applications. Denial-of-service attacks and physical theft were among the least likely ways for hackers to obtain corporate data.

Verizon says that 70 organizations supplied it with data on breaches, which might not seem like much. However, from just those 70 organizations, Verizon discovered more than 2,100 data breaches and nearly 80,000 security incidents. That’s an average of more than 1,000 security incidents per organization, or about three per day. Verizon independently analyzed more than 20,000 organizations, but just 70 of them supplied data on breaches to the company.

The Internet of things, or the term for previously disconnected devices that are now coming online, is one of the few small concerns from Verizon’s study. In fact, the company found that the number of malware examples attacking Internet of things devices on the Web “was extremely low,” adding that when malware was discovered, it was typically “resource-wasting, but low-impact, infections.”